Lazarus and the tale of three RATs

2022-09-08 Cisco Talos

http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html


Cisco Talos observed Lazarus Group activity from February to July 2022 against energy providers in the United States, Canada, Japan and other regions, and assesses the campaign as North Korean state-sponsored espionage aimed at long-term access and data theft. Initial access came through exploitation of internet-exposed VMware Horizon servers, including Log4Shell, followed by reverse shells, reconnaissance, impairment of Windows Defender, download of the attackers' toolkit and lateral movement. The three RATs of the title are the Lazarus-linked implants VSingle and YamaBot and the newly identified MagicRAT; VSingle was used for further reconnaissance, exfiltration and manual backdooring of hosts. Talos noted overlaps with earlier AhnLab, CISA, JPCERT/CC and Kaspersky reporting, including shared infrastructure such as 84[.]38[.]133[.]145 and the same VMware exploitation pattern, underscoring Lazarus' continued focus on critical infrastructure espionage.

Indicators of Compromise

Type    Value                              First Seen   Last Seen
HASH    dda53eee2c5cb0abdbf5242f5e82f4d…   2022-09-08   2024-07-25
HASH    c2904dc8bbb569536c742fca0c51a76…   2022-09-08   2024-07-25
HASH    8ce219552e235dcaf1c694be122d633…   2022-09-08   2024-07-25
HASH    90fb0cd574155fd8667d20f97ac464e…   2022-09-08   2024-07-25
IPv4    146.4.21.94                        2022-09-08   2023-09-22
IPv4    109.248.150.13                     2022-09-08   2023-09-22
IPv4    40.121.90.194                      2022-09-08   2023-09-12
HASH    586f30907c3849c363145bfdcdabe3e…   2022-04-27   2023-02-09
HASH    2963a90eb9e499258a67d8231a31240…   2022-09-08   2022-09-08
HASH    912018ab3c6b16b39ee84f17745ff0c…   2022-09-08   2022-09-08
HASH    05732e84de58a3cc142535431b3aa04…   2022-09-08   2022-09-08
HASH    caf6739d50366e18c855e2206a86f64…   2022-09-08   2022-09-08
HASH    16f413862efda3aba631d8a7ae2bfff…   2022-09-08   2022-09-08
HASH    6fbb771cd168b5d076525805d010ae0…   2022-09-08   2022-09-08
DOMAIN  mudeungsan.or.kr                   2022-09-08   2022-09-08
IPv4    54.68.42.4                         2022-09-08   2022-09-08
IPv4    104.155.149.103                    2022-09-08   2022-09-08
IPv4    185.29.8.162                       2022-09-08   2022-09-08
IPv4    192.186.183.133                    2022-09-08   2022-09-08
IPv4    46.183.221.109                     2022-09-08   2022-09-08
IPv4    213.180.180.154                    2022-06-30   2022-09-08
IPv4    84.38.133.145                      2022-05-12   2022-09-08
IPv4    155.94.210.11                      2022-04-28   2022-09-08
HASH    5a73fdd0c4d0deea80fa13121503b47…   2022-04-27   2022-09-08
DOMAIN  semiconductboard.com               2022-04-27   2022-09-08
DOMAIN  cyancow.com                        2022-04-27   2022-09-08
DOMAIN  tecnojournals.com                  2022-04-27   2022-09-08
HASH    c92c158d7c37fea795114fa6491fe5f…   2021-04-27   2022-09-08
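As an added example (not code from the Talos report or from this page), the following Python sweep loads the IPv4 and DOMAIN rows of the table above, undoes the bracket defanging used in the summary text, and checks the indicators against a handful of constructed proxy-log lines. The log lines are invented for the example and the hash rows are left out because the page truncates them, so they cannot be matched exactly. Domain matching is exact or by subdomain (cdn.cyancow.com matches cyancow.com) but never by bare suffix, so notcyancow.com does not fire.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# IPv4 and DOMAIN indicators copied from the table above. One entry is kept
# in defanged form to exercise refang(); the hashes are omitted because the
# page truncates them.
IOC_TEXT = """
IPv4 146.4.21.94
IPv4 109.248.150.13
IPv4 40.121.90.194
DOMAIN mudeungsan.or.kr
IPv4 54.68.42.4
IPv4 104.155.149.103
IPv4 185.29.8.162
IPv4 192.186.183.133
IPv4 46.183.221.109
IPv4 213.180.180.154
IPv4 84[.]38[.]133[.]145
IPv4 155.94.210.11
DOMAIN semiconductboard.com
DOMAIN cyancow.com
DOMAIN tecnojournals.com
"""

# Constructed proxy-log lines (not real telemetry); 10.20.30.0/24 is the
# hypothetical internal range, 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges used as benign destinations.
SAMPLE_PROXY_LOG = """\
2022-06-02T11:03:41Z src=10.20.30.41 dst=84.38.133.145 dport=443 host=- action=allow
2022-06-02T11:05:10Z src=10.20.30.41 dst=203.0.113.9 dport=443 host=updates.example.com action=allow
2022-06-02T11:07:55Z src=10.20.30.57 dst=198.51.100.20 dport=80 host=cdn.cyancow.com action=allow
2022-06-02T11:09:02Z src=10.20.30.57 dst=198.51.100.21 dport=443 host=notcyancow.com action=allow
2022-06-02T11:12:30Z src=10.20.30.62 dst=155.94.210.11 dport=8080 host=- action=deny
""".splitlines()


def refang(value: str) -> str:
    """Undo common defanging: 84[.]38[.]133[.]145 -> 84.38.133.145, hxxp -> http."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def load_iocs(text: str) -> Tuple[Set[str], Set[str]]:
    """Parse 'TYPE VALUE' lines into (ip_set, domain_set); rejects malformed IPs."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        kind, value = parts[0].upper(), refang(parts[1]).lower()
        if kind == "IPV4":
            ipaddress.ip_address(value)  # raises ValueError on a bad entry
            ips.add(value)
        elif kind == "DOMAIN":
            domains.add(value.rstrip("."))
    return ips, domains


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostnames: one or more labels followed by an alphabetic TLD, so dotted IPs
# and timestamps are not picked up here.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def domain_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the matching indicator for an exact or subdomain hit, else None.

    Walks from the full host down to the registrable part but never tests the
    bare TLD, and never does substring matching (notcyancow.com is not a hit).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log(lines: Iterable[str], ips: Set[str], domains: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator_type, indicator) for every distinct hit per line."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        seen: Set[Tuple[str, str]] = set()
        for ip in IPV4_RE.findall(line):
            if ip in ips and ("IPv4", ip) not in seen:
                seen.add(("IPv4", ip))
                hits.append((n, "IPv4", ip))
        for host in HOST_RE.findall(line):
            m = domain_matches(host, domains)
            if m and ("DOMAIN", m) not in seen:
                seen.add(("DOMAIN", m))
                hits.append((n, "DOMAIN", m))
    return hits


if __name__ == "__main__":
    ip_set, domain_set = load_iocs(IOC_TEXT)
    for n, kind, ioc in scan_log(SAMPLE_PROXY_LOG, ip_set, domain_set):
        print(f"line {n}: {kind} {ioc}")
```

Run stand-alone it reports three hits: the direct connection to 84.38.133.145, the subdomain of cyancow.com, and the denied attempt to 155.94.210.11; the benign and look-alike lines stay silent. Feed it real proxy or DNS logs by replacing SAMPLE_PROXY_LOG with an iterator over the file.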

Related Reports

2019-08-26 • 27% Match
#Kimsuky #G0094 #T1082 #T1140 #T1005 #T1041 #T1555 #T1560 #T1112 #T1083 #T1036 #T1027 #T1567 #T1071 #T1204 #T1552 #T1057 #T1053 #T1566 #T1102 #T1059 #T1003 #T1105 #T1219 #T1055 #T1543 #T1078 #T1133 #T1218 #T1190 #T1588 #T1114 #T1098 #T1593 #T1589 #T1016 #T1587 #T1111 #T1591 #T1585 #T1598 #T1583 #T1594 #T1557 #T1547 #T1562 #T1608 #T1546 #T1070 #T1074 #T1056 #T1586 #T1176 #T1553 #T1012 #T1534 #T1007 #T1518 #T1021 #T1040 #T1564 #T1584 #T1136 #T1505 #T1550
Shares tags: T1082, T1140, T1560
2022-04-29 • 25% Match
#Trend #BlackBanshee #BlackAlicanto #T1082 #T1059.003 #T1090 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1112 #T1083 #T1204.001 #T1036 #T1027 #T1204.002 #T1071 #T1124 #T1204 #T1057 #T1059.005 #T1566.001 #T1547.001 #T1053.005 #T1132.001 #T1566 #T1059 #T1003 #T1105 #T1620 #T1486 #T1135 #T1078 #T1548 #T1190 #T1592 #T1049 #T1087 #T1589 #T1074.001 #T1591 #T1547 #T1068 #T1573 #T1095 #T1048 #T1608 #T1070 #T1056 #T1036.007 #T1614.001 #T1033 #T1110 #T1221 #T1132 #T1570 #T1021 #T1615 #T1482 #T1210 #T1069 #T1595 #T1039 #T1016.001
Shares tags: T1082, T1090, T1560
2024-07-19 • 24% Match
#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584
Shares tags: T1082, T1090, T1140
2017-05-31 • 24% Match
#G0032 #T1082 #T1090 #T1140 #T1005 #T1041 #T1560 #T1046 #T1083 #T1497 #T1036 #T1027 #T1567 #T1071 #T1124 #T1204 #T1057 #T1053 #T1566 #T1102 #T1059 #T1001 #T1105 #T1055 #T1620 #T1543 #T1489 #T1078 #T1008 #T1571 #T1218 #T1220 #T1588 #T1203 #T1189 #T1049 #T1574 #T1098 #T1087 #T1593 #T1589 #T1016 #T1587 #T1591 #T1585 #T1583 #T1557 #T1547 #T1614 #T1106 #T1573 #T1048 #T1562 #T1608 #T1070 #T1047 #T1074 #T1134 #T1056 #T1529 #T1010 #T1553 #T1033 #T1485 #T1012 #T1110 #T1534 #T1104 #T1202 #T1221 #T1132 #T1021 #T1561 #T1564 #T1584 #T0865 #T1542 #T1491
Shares tags: T1082, T1090, T1140